Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘jihad’ Category

Fancy Bears, CyberCaliphates, and Reporters

leave a comment »

Recently the AP put out a story that links the GRU (Fancy Bear/APT28, whatever you want to call them) to a spate of threats made to five military wives back in 2015 and alleged to have been carried out by Da’esh or the CyberCaliphate. Caliphate is/was/kinda was a loose group of hackers in the Muslim community who carried out a bunch of web defacement’s with slogans like “we love ISIS” etc. Now this isn’t very scary and the group finally got a titular leader in Junaid Hussain, a Brit who went to Jihad after being popped for hacking with an Anonymous group. These disaparate groups of skids are still out there today defacing pages and causing a nuisance but none of them ever rose to the level of being a clear and present danger hacking wise, but Juny, well, Juny became a mouthpiece for da’esh and his popularity got him whacked with a missile in Raqqa.

From AP News

The AP story though, is only tangentially about the CyberCaliphate in that the claims made by the AP are that the five wives who were threatened were in fact not threatened by Caliphate, but instead the GRU carrying out a “False Flag” to make it look like it was the skids. While Juny and whoever else he was working with did in fact dump some military data back in 2015, there were other hacks that went on that people think wasn’t him and the brothers at all but their sophistication means that they had help if not outright wasn’t them at all. The fact of the matter is that finding open source lists of military and other’s details is easy with Google Fu today and no hacking may have been needed for many of these dumps that the ISHD dropped. There were some righteous hacks though and I can easily go with the idea that the Russians and others perhaps had been leveraging these guys names to carry out their own attacks for their own ends,but, this threatening of five military people’s families is a bit of a stretch for me to say is definitively the GRU and not in fact the real ISHD or Caliphate hackers.

My biggest problem with this AP report is that there is little to no details on how they came to the conclusion they reported. In asking the reporter, Raphael Satter, on Twitter I only got sketchy replies on how he/they got this grand conclusion. Basically, his story is that he asked SecureWorks for their data (including personal information it seems of those who got hacked/attacked) and went through all of the phishing emails that were carried out by APT 28 using the bit.ly links to avoid Google filters. Out of all those 4k emails they then saw that the five families were recipients of the phishing emails that APT 28 carried out on the everyone in their large drift net attacks to gather intelligence. AP/Satter then went and rummaged in their closet for the JUMP TO CONCLUSIONS MAT and laid it out to finalize their cognitive bias. From this, and it seems bothering a bunch of military wives previously on the 4k emails that went out they came to the conclusion somehow, that the five were in fact attacked by the GRU because they got those phish. Satter and AP give no details or evidence on this and in my chat with Satter on Twitter he was too busy pub crawling to answer my questions fully on this.

While it is not inconceivable that these families may have been harassed by the GRU for some reason, it is also not a conclusive fact given what has been presented by the AP that they did in fact do this and it was not really the actual ISHD or CyberCaliphate or even just Juny himself. What really needs to happen though, is when a reporter and an agency makes an assertion, but provides little to no evidence of it, it kinda comes off as a grab for attention without truth to back it up, in effect, they did it for the clicks. Now if Satter and AP can provide more conclusive data then I will concede that they are in the right here, but so far they have not. I see no direct connections in the story to anything more than the fact that these ladies got messages on Facebook that were threatening and claimed to be from ISIS. When I asked if Satter had tried to pull the data together to see if these families all had members in FOB’s (Forward Operating Bases) he did not even know what that meant, so I enlightened him. My point being is that if those five members of families were in an area that the Russians wanted to effect some outcome at the time of the attacks, then maybe I could see my way to believing it, but if it was only five, and there is no evidence that they were in positions that the Russians would want to effect, then why do this at all? Why only five? Am I missing something? It all comes back to “Cui bono” or “Who benefits?”

Certainly the AP story is splashy and makes for clicks but I have these concerns as well as I now have to wonder about SecureWorks giving up this data with PERSONAL DATA ATTACHED to the AP. Say, isn’t giving personal data of military and government people to the AP a violation of law somehow? Even of the AP says they are protecting the data, this isn’t really kosher to me, but who am I huh? Maybe just someone with data out there huh? It also makes me wonder how SecureWorks is feeling about all this too. I mean, they had all this data and they did not report this. As Satter said to me; he and a team of people pulled all this together. Well, unless you provide your work it’s just another story and may be in fact incorrect. But back to SecureWorks, why did you guys give this data to the media? What were you thinking?

Screenshot from 2018-05-14 09-12-55

All in all I have had this story sticking in my craw for a while now and I had to get this out. I have worked on the Caliphate and ISHD tracking so I know the players and I know the game. I am certain that in some cases the attacks carried out were more sophisticated and coherent for them to be the actors involved but to make these wild leaps of logic like AP did and then publish them without supporting evidence is bad journalism. In a time when the media want’s to be above board because we have a liar in chief in office who is daily attacking our institutions like the Fifth Estate with disinformation, we need you reporters to do a better job than this. If Satter and AP can provide more than I will be happy. Until then, this story is just that and just adds to the cacophony of fake news and clickbait that I deplore.

K.

UPDATE: One last thought I thought I should add. There is a definite difference between actors here where it comes to ISHD and CyberCaliphate. Two different manners of attacks/hacks and ways of speaking. Look at the image above and look at the language as opposed to most of the defacements and posturing by the UCC. So if you want to say anyone GRU may have done this you would want to call them out as ISHD (Islamic State Hacking Division) as opposed to CyberCaliphate.

Just Sayin.

Written by Krypt3ia

2018/05/14 at 12:33

Posted in Da'esh, ISIL, jihad

MuslimCrypt and Clickbait

leave a comment »

MEMRI talked up a report on a new “steg” program being offered and “used” by da’esh that was then picked up on by Wired (or more to the point someone called from MEMRI offering a story because slow news day at Wired) touting the new scareware booga booga booga that jihadi’s are using STEGO ERMEGERD! Of course this type of encryption has been around all along and in fact, as Wired alludes to, it has even been used by UBL back in the day as well. The fact that there is stego out there is nothing new but this alleged program is, maybe. You see, the problems I have with this assessment and the Wired story sold to them is that there is no real penetration of this software being used as far as can be seen and in fact nowhere on the net can the actual software be found to download.

So yeah, it is not in every da’esh cyber toolbox kids and if anything, it may be an OP trying to pop some of them on Telegram.

Telegram Accounts:

The Telegram accounts involved in this drop also seem to lack some history as well. I looked them up on Telegram and there isn’t much to see at all. Of course it could be that one needs to engage with them to see more but I am not going to do that for this so suffice to say that Google searches of these accounts, the names in them, and iterations thereof come up with nothing useful. In essence what I am saying here is they have “no history” and thus to me should be looked at as cutout accounts to drop this software from and nothing more. This is an important piece of the puzzle too but it seems MEMRI is more interested in selling subscriptions and getting on Wired than they are at being thorough in investigating things like this.

MuslimCrypt.zip and .exe:

Meanwhile one cannot find the software at all nor the zip file anywhere on the net. Not one download link anywhere. No uploads to MEGA, nor any of the other places that you would think that these guys would want to put it so that the jihadi masses can securely talk right?

Nopesauce.

The staggering lack of the file only leads me to believe that it was a drop to entice people to download in-line on Telegram in hopes that the account (MuslimTec) would be a form of watering hole attack. We see this kind of thing all the time in the hacking world and many of those kinds of attacks are carried out by more sophisticated actors. In this case the only place that the file can be seen is on Hybrid Analysis and on VirusTotal and even there there are only one to two drops of the file for testing. In all of these cases the files are not available for download so only one source has uploaded them.

Interesting huh?

So what do we have here so far… One source (MEMRI) sharing a story with Wired about a software package no one really has except MEMRI? How odd is this? Well, kinda odd and to me smacks of two things;

  1. MEMRI got played
  2. This was an OP by a nation state actor looking to own some jihadi’s

I will go into these ideas in some more detail below. Just remember that it is odd that these files are not out there in the forums nor being saved and uploaded for more penetration of use.

Reversal of the binary:

I found that the zip file had been uploaded to Hybrid in January as well as March 4th 2018. The VT upload happened in February 2018 so this has been around and about a bit. Remember though, these are the only instances of the files that I could find, and I REALLY wanted to find a copy. So whoever had the files to upload (assuming it was MEMRI) are the only ones to do so. I looked at the whole sandbox report of the zip and the executable and came up with some interesting factoids for you all.

  1. The language set is German
  2. The language of some of the re-used code snippets are in German, so, I could go either way on this one. Could be a German who did the coding or just someone who knows some and worked on re-used code to make this program
  3. This was cobbled together by someone with some skills
  4. The software does have what seems to be a keystroke recorder built in but it has nothing really to do in sandbox because it is a sandbox and no actual keystrokes are made
  5. Whoever compiled this has a pc name or a folder name on their system of “SultanEasy” with “SultanEasy-2” which, ya know, kinda sounds all code wordy to me

I scoured the internet for “SultanEasy” and “SultanEasy-2” to no avail. Now with that in mind consider that this was a slip up on the part of the coder and that this folder in projects is a code name.

Ponder ponder ponder… A piece of software magically dropped on Telegram by accounts with no history and a binary that has a keystroke logger embedded in it?

Hmmmmmmmmm…..

Oh, by the way MEMRI, your reversal skills suck.

An Op?

Overall, this smells bad and MEMRI seems to have fallen for it or is unable to read a reversal report and strings well enough to see things in perspective.

Could this be an operation by a nation state? Sure.

Could it be another group like Anonymous or some other vigilante group? Sure.

Could it be a serious attempt at making steagnography the go to encryption for jihadi’s today? Yeah no.

Nice clickbait though.

Derp.

K.

 

UPDATE: I was sent this by <REDACTED> this is from a paste of conversation screenshots from the MuslimTec Telegram channel…

Screenshot from 2018-04-02 14-45-24

So yeah, there are many comments in there about spies and even at one point claims of being hacked by dissension…

Just sayin.

Written by Krypt3ia

2018/04/02 at 18:06

Posted in Da'esh, jihad, Jihobbyists

Amaq News Malware Attempt Using Old Malware

with one comment

Amaq Hack:

Vice reported on the Amaq News Agency’s hack and dissemination of malware last week and the report really kind of fails to do much more than attempt to amplify the booga booga of the whole affair. I thought I would go hunt down the sample(s) of the malware and have a looksee for myself. Which is exactly what I did and located two samples of malware that are from other domains owned by the same players. What follows is a run down of those samples (I was unable to find the one mentioned in the story as of yet but did locate the VT assessment of it) and a fuller deconstruction of the domains involved.

As some of you may know, Amaq is just the news site for the dissemination of propaganda so this would be a good target for someone to go after, infect, and hopefully reap the rewards of anyone stupid enough to install the file that was being served out. Interestingly though the malware mentioned in the piece on the 30th is a flash update and the malware I located on the other attached domains is an .apk file that allegedly is for a flash update? In any event, my first impression from the Vice piece was that it was derptastic. You are going to use a 2013 rat that everyone see’s to pwn an alleged 600 click happy jihadi’s?

REALLY?

Right so as the Vice article says the malware was easily seen by a multitude of AV products so really, you are hitting the lowest common denominator here if they click on it and have no AV at all. Of course if you were aiming at phones that would be different but this was an executable binary so.. uhh.. Duh? Right, well the malware in the story was ostensibly just an update to Flash if what has been posted is in fact true. I went to the site listed in the shortlink and no joy on that, nothing there anymore.

Domains:

After checking the domain jiko.at from the url that was serving the malware last week I began tracking down the owner data. What came from that is that the email address of alibenmohaed216@gmail.com is a throw away account as far as I can tell with only three domains being registered with it. Once you look though, you can see that more domains actually had been created by the same actor using the name “dertou” as well. Those domains are ad13.de, amaqqq.xyz, baqiyy.at, and jkikkia.at.

Without going too far down the rabbit hole here I just wanted to point out that these addresses were all created on the 29th of March and deployed along with the other exploit it seems. One of the domains is still live and are serving out the malware:

Now this address would match up with the attempts at trying to get amaq users to go to a bad squatted address and this is where I got the malware I mentioned above (details below) The other domains are all interesting in that some have names that are close to such things as the Da’esh magazine “Baqiya” but others like ad13.de have nothing to do with all that and in fact ad13 is much much older a domain. Ad13 was originally created in around 2013 and was decomissioned around October 2016 with changes made to the domain in July 2016.

When I started looking up the list.ru address I hit a road block for now but I will keep poking at that because I feel that this person is one of the key players if not the key player here. Otherwise there is the usual obfuscation going on with the other addresses out there and as such I am just going to drop them for now. Instead, I will look at the malware and where that is making calls to after dumping the IOC’s on you all.

Here you go!

IOC’s:

Malware:

https://www.hybrid-analysis.com/sample/b641c03fe4334d7c0045db7db70fd7d1c8756ba5a50f35a6ec5257bd533c1630?environmentId=100 –> Malware
https://malwr.com/analysis/OTllNDU5YjNkYzVlNDFhOWI1Yzc2YWY0ZWI3NWY0N2Q/ –> Malware
http://urlquery.net/report.php?id=1490856486148
https://virustotal.com/en/file/379cd2fed583c183fc1c5d1597421642f8e6b15af74ec58348e40ee80f227b25/analysis/1490880990/ —> Malware
https://www.hybrid-analysis.com/sample/b641c03fe4334d7c0045db7db70fd7d1c8756ba5a50f35a6ec5257bd533c1630?environmentId=100 –> Malware
https://malwr.com/analysis/ZDgyOWFkYTIwNjdlNGJjOWE2MTMwYjQwYmJmNmRiN2M/

Domains:
https://virustotal.com/en/domain/saitamasinse.com/information/
https://www.threatcrowd.org/domain.php?domain=amqqq.xyz
https://virustotal.com/en/domain/saitamasinsefesa1forall.com/information/
https://virustotal.com/en/domain/saitamasinsefesa1formelol.com/information/
https://virustotal.com/en/domain/fgssaitamasinsefesabgformelol.com/information/
https://www.threatcrowd.org/domain.php?domain=saitamasinse.com
https://www.threatcrowd.org/domain.php?domain=ad13.de
https://www.threatcrowd.org/ip.php?ip=66.85.157.86

Malware:

The malware sample I got from the amaq xyz site was named FlashPlayer8x86_x64.exe and downloads as an .apk (Android) file by name obfuscation from the url. Once run it attempts to contact several domains and IP addresses for the second stage.

These addresses don’t actually have sites on them so they are just C2 and in the case of the original malware in the Vice piece there was a site with a gate.php address which may have been an IP collection point or a second stage malware install site. None of these though have the gate.php and the fact that this site is still working makes me think that perhaps this was to be the second wave of attacks had not Vice and other sources reported on the hack. Perhaps though because it is still live the hackers plan on another attempt at going back to the well no?

Overall the sites have been updated recently but have been around a while. The malware is easily detectable by AV, and the RAT is old so was this a real attempt at harvesting or was this some sort of pranksterism or PSYOP? Frankly I can see it both being semi-experienced hackers doing this or more astute actors using easily seen malware to perhaps scare users into not looking at the site anymore. That I could track it back so far to the list.ru user to me says that there may be more to this if I dig further but then I have to be that interested in who may be fucking with amaq.

The fact of the matter is Da’esh is losing ground and losing the interest of those who think they are a righteous Caliphate because they are losing ground. The attempts to garner more lone wolves and perpetuate the jihad with these guys has been too plagiaristic for me. Basically Da’esh stole AQAP’s model but carried it off with less style so once they lose Raqqa they will lose a great deal of cred online in my opinion. Perhaps then they will be less of a threat on the GWOT in that respect… Maybe not.

Anyway, yeah, these guys are soft targets and not the sharpest tools in the tool box so hacking them has never been a challenge. All these insecure PHP sites and their users are easy pickins really so this is a non story to me. It is more interesting to me who may be trying to fuck with them and to determine why exactly. Is this the IC trying to deter them or is this an OpISIS kind of thing?

I am still deciding…

K.

Written by Krypt3ia

2017/04/03 at 18:42

Posted in CyberFAIL, Da'esh, jihad

Ahmad Rahami’s Journal: The Sycophantic Nature of Failed Seekers

leave a comment »

page-1

Ahmad Rahami, the new jihadi wannabe lone wolf du jour made a splash with his bombings of a dumpster and a trash bin on CNN and the other media outlets but let’s really take a closer look at Ahmed and his mindset with the release of his ersatz “journal of jihad” shall we? First off, I am tired of the media coverage and while this was serious, it just show’s you the level of recruit and planning that AQAP/AQ/da’esh have in the US presently and to wit, not very high. Frankly, looking at his journal pieces here I can only surmise that if Ahmad doesn’t have some sort of personality disorder it would greatly surprise me. On the other end of that spectrum, Ahmad clearly is a failed seeker acting out within the confines of his chicken shop malcontent diaspora in search of importance.

page-9

Ahmad opines the usual catch phrase diatribes seen in Inspire or Dabiq and on the web in general on the boards but seems to not really have a greater grasp of his own religion than most of the daeshbag recruits these days. Clearly he has been suckling at the tit of the jihadi propaganda machine and in fact had close contact with recruiters in Afghanistan and Pakistan where he spent a good deal of time in recent years on and off. These guys look for recruits who have weak wills and minds that can be easily swayed. Minds and hearts, ego’s in search of self importance that they lack presently but are told that they will be martyrs for the greater cause if they blow themselves or the far enemy up and it is bullshit.

page-4

page-3

 

page-5

page-6

page-8

All of the propaganda placed by these Khawarij are just a mental virus, neuro-linguistic programming, used to prey on the weak minded souls out there, those failed seekers in order to bring them in and turn them to the Khawarij will. For some time now the security services and governments of the world have been trying to see how they can combat these memetic viruses online and so far no one has been able to come up with a solid solution. Those wh0 are seeking will latch onto anything that they feel an attraction to and it has been since time immemorial. Cults, and religions both rely on this to build their base, belief is key and the means to that end is dogma.

In Ahmad’s diary we see this in action and we see the brain washing and self delusion that goes on here with the repetitive statements in this journal that he used to egg himself on to action. No doubt he wrote this out and continued to do so as he built the bombs. All of this, all the language is a means to an end to justify to himself his actions. Actions fed to him by the propaganda online, in person, and programmed into him and all the others who are willing to listen, to believe, and to act.

Weak minds.

Weak souls.

Pawns of the Khawarij.

I truly hope we can come up with a means to combat such memetic viruses but so far I see no hope of it. Prepare yourselves for the other weak minded jihobbyists out there to try and catch their own brass ring of importance. Just don’t let them enable fear to win and change the course of our governance to a fear based one… Well… One that is more so than it already is.

Dr. K.

Written by Krypt3ia

2016/09/23 at 14:25

Leaderless Jihad and Open Source Jihad: A Marriage Made In Hell.

leave a comment »

7631834-3x2-700x467

In 2013 I wrote about leaderless jihad and the “Stand Alone Complex” Now we are seeing this type of leaderless, “inspired by” thought virus playing itself out on the national stage. Last nights attack using a lorrie was something that was presaged by two issues of Inspire Magazine back in 2010 and 2014. There isn’t much to it really to gather some weapons, steal a truck, and then plow it into a crowd but it has taken this long for the insidious idea to take root in the collective unconscious of the would be jihadi’s. The days of a more rigid and trained “jihad” are being eclipsed by would be unbalanced individuals seeking attention and reinforcement of their sick ideas through the media, the internet, and our collective inability to look away from a tragic scene on a glowing screen.

Screenshot from 2016-07-15 07:00:082014 Inspire

 

Screenshot from 2016-07-15 07:04:082010 Inspire 2 “Ultimate Mowing Machine”

 

Soft targets were always the preferred avenue of attack but now they are becoming seen as a top priority for security forces since the attacks in France and other places like Bangladesh. While Dahka on the face of it had a contingent of more trained individuals the attack last night is as simplistic as they come. This is what is really scaring the populace and the security services because now it seems that the authors and actors of these acts are in fact just one guy and not a cabal that they could perhaps track using pervasive surveillance. A cell of one is hard to track and certainly if they self radicalize by just downloading Inspire magazine and watching YouTube, well, what can one do? There are no easy answers here in the world of detection and prevention.

Screenshot from 2016-07-15 09:26:04

So here we have it, I have been pointing this out for a while and at first it was AQAP trying to inspire “OSJ” or Open Source Jihad. Now Dabiq and Da’esh are carrying it on and furthering it with the media zeitgeist that ensues with each attack. The net effect here is that these people are selfradicalizing with the help of the media’s obsession on covering ad nauseum these acts. The pervasive hand wringing and talking heads only serve to whet the appetite of the would be jihobbyist into action. Forget the Inspire magazines and the videos, just watch CNN and that is enough it seems. This all is very much like the plot line to “The Laughing Man” arc of Ghost In The Shell. An act carried out on the media instilled others to carry out like acts to be on the media and further the idea(l) as well as serve as a means to self fulfil the actors need for attention and satisfaction.

laughing-man

This is pure psychology at work and there are a host of reasons and syndromes that could likely be pointed at to rationalize it’s happening. The fact of the matter is that now we are seeing it play out rather bloodily on the streets of the world in furtherance of an idea and ideal set that lends itself to the like minded.. Or should I say mentally ill? Yes, I would say mentally ill. These actors are acting out and likely have some borderline tendencies to start with. These people feel outcast in their societies or out of place within the societies they are living in as a second generation citizen. It is a complex thing to nail down and I suggest that anyone who might want to delve into it further read “Leaderless Jihad” by Marc Sageman.

We need a more nuanced approach to the GWOT and I am afraid we won’t get that…

K.

 

Cyber Jihad Marketing: Yelling FIRE! In A Crowded Theater

leave a comment »

Screenshot from 2016-06-20 07:37:15

 

Recently, a reporter that I know came to me asking if I would look at this ICIT-Brief-The-Anatomy-of-Cyber-Jihad1 and give input on it. They wanted to have my opinion because the firm that wrote it was seeking a reporter to flog it on their news site. I told the reporter after looking at the “analysis” this exact quote; “This report is the marketing equivalent of yelling fire in a crowded theater” Well, it seems that CNBC bought it though and my hand has been forced to write about this travesty. ( CNBC Report that forced my hand ) I told the reporter to back away slowly and to their credit they did. CNBC not so much. So here I am going to outline how this report is full of marketing and cognitive bias and wild assumptions. Oh, and that is if you can get past the hyperbolic language in the first graph…

Screenshot from 2016-06-20 08:47:58

I shit you not..

Cyber Caliphate & Junaid Hussain:

The report goes on a long time talking about Da’esh and their origins. While much of that data is right on the report starts to go off the rails once they begin talking about the “cyber” part of the picture. They start off by talking about Juny and his cybering, the defacements out there, and the propaganda war that is still ongoing by the likes of Da’esh, AQAP, Boko Haram, etc. Which is all fine, mostly accurate, but then they start to talk about “possible capabilities” after they just pretty much said “They aren’t that capable” Cognitive dissonance much there guys? The truth of the matter is that to date, the propaganda war is the biggest and most dangerous war here, not the so called cyber war that this “analysis” is pimping. I have been following this stuff since 2001 and Juny is the new Younis Tsouli really, both were/are moderately skilled in hacking but not much more than that. Both were much more a propaganda figures, and more dangerous in that capacity than any of their hacking skills. In fact, in the case of Younis, he got the heat and popped for that very reason, he was making a splash and attracting followers. Juny had that very same skill set and became much bigger a deal because he caught the zeitgeist for the jihobbyists out there with his mouth on Twitter. This is why he was killed with a hellfire, not because he hacked any big databases or got the real dope from some hack. In short, both were a danger because they had followers, and those followers were radicalising off of their jihadi bluster online and caches of propaganda from the main marketing teams of their respective terrorism groups. (AQ for Younis and Da’esh for Juny)

Screenshot from 2016-06-20 07:45:48

Of course the report would not be scary enough without the “Cyber Caliphate” an operation that Juny lamented was just him, no one else, before he got whacked on Telegram. That’s right kids, Juny was pimping something and making shit up. Once Juny got whacked you know what happened? Groups of guys like Team Fallaga took up the mantle and went on to deface pages like the dickens! “OOH SCARY DEFACEMENT BRO” While the report states this, and some of the other information I just mentioned, they then go on to analyse and say that these guys aren’t capable now but someday… SOMEDAY they could be. Oh really? You don’t say! Sure it is possible but it is not likely. Given that most APT activity takes money, time, and cohesion, the jihadi’s are all over the place and usually small disparate groups of skiddies, not solid hackers. So, the scare tactic of analysis is way off the mark in this report and this is why I told the reporter to step back slowly from their pitch. If this group had left it at that, it could happen but it is not likely I would have had some respect for them. Instead they chose the other scare the client into buying shit route. As for Cyber Caliphate and all their other silly acronyms, none have shown that they are a credible threat to much else than an insecure web page. No real data has been hacked and their “data drops” of enemies to kill have all come from open sources on the internet. Sure, is it problematic that they are doing this? Sure. Is it a clear and present danger of cyber capabilities that they could strike the grid next?

No.

Just stop.

Jihadi Helpdesk

PSSSST hey morons.. There is no Helpdesk

Screenshot from 2016-06-20 07:46:05

I need not say more right?

… But I will.

DO YOUR GOD DAMNED HOMEWORK AND QUITE THE FEAR MONGERING FOR MONEY!

CYBER JIHADI DARKNETS

Of course these guys could not miss an opportunity to scare and of course they had to use the scary “Dark Net” or “Deep Web” I have been on the dark net for a long time and I will tell you I have found a few sites but nothing there is that scary. In fact, to date, the sites either have been hacked soon after and taken down, or just sit unused. So really, the dark net is no threat here. Sure, the jihadi’s are using technology to obfuscate their chats now and trying to hide in the “deep web” of un-spidered content but the reality is most of this stuff is non operational. What the jihad today (Da’esh) wants mostly is to radicalize and activate those in the US like Omar Mateen without even really having contact with them.

Screenshot from 2016-04-29 13:12:15

So, the darknet… Not so much a terrorist haven kids. Sorry

https://krypt3ia.wordpress.com/2015/11/15/the-first-official-daesh-darknet-bulletin-board-has-arrived/

https://krypt3ia.wordpress.com/2015/11/18/daesh-darknet-under-the-hood/

Overall Analysis of Scare Marketing and Cognitive Bias

This report is a travesty of a tissue of what if’s that really is just a pulp thriller wannabe disguised thinly as a marketing piece cum serious analysis of Jihad online.

Please believe none of it.

Dr. K.

Written by Krypt3ia

2016/06/20 at 12:50

Inspire 14: Assassination Operations and Dabiq 11: The War of Coalitions

with 2 comments

mags

 

Well it has been some time since I cared enough to actually look at the media being put out by Da’esh (Al-Hayat) never mind the ever present Inspire magazine put out by AQAP and Al-Malahem. Things however have reached a point where I am going to speak up again on what is going on with the GWOT as it is called. Yesterday there was a report put out about fifty intelligence analysts who officially complained about their analysis products being cherry picked or edited to suit the administrations needs and this in tandem with the drops of both magazines at nearly the same time had my interest piqued. It feels like once again history is repeating itself with intel being managed or changed to suit the needs of the politicians who are the consumers of that intel. Does anyone really remember the run up to the Iraq invasion and the machinations of the WHIG at all today? I guess in the vast sea of what is claimed to be journalism, the truth of matters is often lost but if you pay attention sometimes you can get some clarity.

The biggest part of the revelations by the intelligence community analysts is that they say we are losing ground with Da’esh in reality, not as the administration would like us all to think. Personally for me I have been of the opinion that drone strikes and a propaganda war has done absolutely nothing for the greater good and that we are in fact stagnant in ideas or means to stop the Middle East from becoming a sectarian bastion. The “Land War in Asia” thing aside, we have no real good plan for helping the moderates because we keep propping up the despots as bulwarks or as necessary evils in the game of Middle East Go. Since I am not a politician, nor am I anyone with any real pull I am stuck here just watching the conflagration while the rest of the world accepts media word-smithing ‘refugee’ to ‘migrant’ with bile rising in my throat.

Anyway….

Back to the magazines and their coincidental dropping at the same time on the same day. In looking at them they are both quite different in tone and direction. While the Inspire is the usual ideologue format it has some scary content in that it is giving directed ideas to the would be jihobbyists with their OSJ (Open Source Jihad) sections ranging from how to make a hand grenade to a call for the ‘Lone Wolf Caravan’ to carry out assassination operations. This call for the assassination ops has been one of the more focused notional magazines that I have seen out of AQAP and as such, with the successful attacks in recent past by lone wolves or small groups of actors without direct training by AQ/AQAP/Da’esh is concerning. Given the media savvy approach of the magazine with Inspire and then the alternative wind up of slick media on youtube by Da’esh, I have to think the synergy would create some new converts. Honestly folks, watching all this play out is much like watching the evolution of Batman and Joker.

Inspire 14

Here are some highlights from the Inspire 14 issue:

 

Screenshot from 2015-09-10 08:50:38

Screenshot from 2015-09-10 09:06:41Notice that the hybrid of separate groups of lone wolves and trained operational assets is being espoused (ala Hebdo)

Screenshot from 2015-09-10 09:24:15Using our own data in the media against us it seems. TSA is really just a street theater version of security anyway.

Screenshot from 2015-09-10 09:25:23

Screenshot from 2015-09-10 09:25:47 Screenshot from 2015-09-10 09:26:04Target choice here is interesting. Going after the intelligentsia? Are they less likely to be carrying?

Screenshot from 2015-09-10 09:26:21

Screenshot from 2015-09-10 09:28:07

Screenshot from 2015-09-10 09:28:18

Screenshot from 2015-09-10 09:31:04As you can see they are lining this all up for the jihobbyist.. Go pick someone out, find out everything about them with OSINT, and then choose your attack.

Screenshot from 2015-09-10 09:32:04Yet another IED but this time they want to have hand grenades much like the attack in Mumbai. The plans are simple and effective. One only hopes that some of these guys make a mistake and lose a limb in process

Screenshot from 2015-09-10 09:33:15They go on to offer targets like these you see here. Larry Ellison? Really? What did Oracle do to Islam? Bill Gates? What you are anti vaxers too?

Dabiq 11

Dabiq though, is another story altogether. It seems that the boys at Al Hayat are very very wordy. In their mag we have much more pedantic text concerning the millenarian ideal that Da’esh is purported to have. Though really only one section of the magazine has a direct line to that ideology at all. The rest is text, lots and lots of it, that may as well just be great swaths of the Qu’ran for all I care. I guess overall though I have to equate the Dabiq to everything I have seen out of Ayman Zawahiri on the depth and breadth of pedantic arguments. Ayman and others like to spout all kinds of erudite scripture while the AQAP guys are ‘BLOW SOME SHIT UP!” which is odd given the nature of the media campaign we see on Twitter and YouTube by Da’esh. There is some disconnect here in the Dabiq magazine with all the text but they do try to intersperse some blood and guts type of things as well to keep the reader interested.

Frankly, I think Da’esh are still trying to figure out the magazine business…

 

Highlights from Dabiq 11

 

 

Screenshot from 2015-09-10 09:46:02Interspersed pages with vid caps leading you to YouTube and their usual outlets. Note the cognitive dissonance of beheadings and happy Eid!

 

Screenshot from 2015-09-10 09:46:21Millennial? You want Millennial? Here you go. That’s about it really. The Mahdi.. Wooooo.

Screenshot from 2015-09-10 09:49:45Obviously they think that blowing up ruins is the shizzle. Yeah yeah, it’s all about the rhetoric (which goes on and on in the text) about fighting the kuffir and Rome.

Screenshot from 2015-09-10 09:51:15OH LOOK MORE VIDEOS!

 

Screenshot from 2015-09-10 09:59:24This stuff here… Well they always have to make their money it seems. Fuckers.

 

Screenshot from 2015-09-10 10:17:11Lastly, they have a section of “in the enemy’s own words” which is media coverage. In this case they picked up on a piece by Mike Scheuer which I will talk about below.

ASSESSMENT:

In an ideological war such as we are seeing played out by vying Islamist parties like Da’esh and AQAP the clear winner in trying to evince a more stable and likely successful attack by a jihobbyist would be what you see in Inspire. This has been the modus operandi of AQAP for some time anyway so there is nothing new. Meanwhile if you watch the news and look at the article written by Mike Scheuer Da’esh has been not only making noise online but also able to take key areas of the region physically. There is a propaganda war being played out but how much of that is really germane to the GWOT as a whole? With the death of Junaid Hussein for being a propaganda mouthpiece for Da’esh and the fallout since calling into question the extra-judicial nature of the killing one can see how much more prescient in the news cycle the propaganda war seems to be while the actual physical boots on the ground war is seemingly absent.

So yes, these two magazines show the varying ideals of how they want to prosecute the jihad. Da’esh seems to be very focused on the grounds for their beliefs to bolster their claim of a Caliphate while AQAP is actually prosecuting the war against the West hoping that players in the West will act. Given the nature of Inspire I can see this happening much more possibly than anyone sitting down for a good read of Dabiq. Frankly Dabiq is much like it’s cleric, shadowy, full of rhetoric, and in the end likely to be empty of any real Muslim ardour for religions sake. Either Abu Bakr is an Islamist Jim Jones cum Joker or he is a wannabe Ernst Stavro Blofeld in my mind.

My primary concern now is that Inspire has laid out some new ideas that the jihobbyists will take up and use. These are not super secret methods but things that with the advent of the internet are even easier to carry off (i.e. OSINT, planning, connecting etc) to carry off an assassination. It is also more a matter of action than it is discourse or belief in the Qur’an the way that the AQAP guys present the material. Sure the underpinnings are all about being a good Muslim and ridding the ummah of the West’s boot on their collective throat (perceived) but they are second to the slick pictures and notions of being a James Bond figure.

Finally, when Da’esh reaches the same point with their magazine I will worry more that a flotilla of fanboys will latch onto their crazy with much more information and perhaps pull off an assassination. Until then, I will just watch the propaganda war play out as we really do not much of anything in the field to really root out the problem in the first place. The games must end and this tit for tat drone war is not going to do it for us.

ANCILLARY DATA:

As an interesting aside to the more technical out there. When getting the new issues of the magazines it came to light that someone has been playing with the supply chain again. The August 31 drop of the alleged Dabiq 11 issue not only on archive.org but also on a slew of shortened addresses (t.co) were actually malware.

Screenshot from 2015-09-10 16:31:19

In this case the malware seems to have been a keylogger. I have seen other files come out the same way and one has to wonder if it is the IC or if it the guys playing the home game. In any case, when you download these things be sure you run them through some tests. That is unless you don’t care about being pwn3d by a nation state.

Screenshot from 2015-09-10 16:31:03

Cheers,

K.

Written by Krypt3ia

2015/09/10 at 20:35

Posted in Inspire, jihad